Slashdot Mirror
Oracle Exec Strikes Out At 'Patch' Mentality
An anonymous reader writes "C|Net has an article up discussing comments by Oracle's Chief Security Officer railing against the culture of patching that exists in the software industry." From the article: "Things are so bad in the software business that it has become 'a national security issue,' with regulation of the industry currently on the agenda, she said. 'I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated,' she said, referring to the security think tank."
Most "engineers" are mechanics. It is indeed time that the software developers, in fact everyone in the industry started to act in a more professional manner, that means understanding the principles, designing and building systems which are known to be able perform to specifications. When I say known, I mean modeled and tested.
You can start taking the profession seriously by joining your local professional engineering body.
Deleted
worth noting that I'm aware that an exploit in the gimp in a corporate environment that would allow an employee to gain root on the machine may or may not matter depending on the setup. if well administered, gaining root would at most allow the user to set up a server or install something. At worst, someone has set up ssh keys to get in other places and you've already given out the keys to the kingdom and left them behind unmonitored 1/8" plexiglass in the lobby.
Anyway, applications that do not listen on a port and are mostly basic user applications probably don't matter in the scheme of things.
This infuriates me to no end, when people use references they saw on the back of a cereal box beacuse they thought it was cute. FTA:
"What if civil engineers built bridges the way developers write code?" she asked. "What would happen is that you would get the blue bridge of death appearing on your highway in the morning."
Im sorry, but there are crazy people scanning my highway for open ports and i dont see script kiddies pinging my roads. Graffati aside, they are left alone. Code that is written works just fine if people dont try to over flow buffers and install rootkits. The bridge I see out of my window is fine because people dont hit it with sledge hammers.
Just my 2 cents . . . .
Since when does being a Socialist mean 'someone who has a different opinion than me'?
People outside the software development field really do make an awful lot of assumptions about the number of things that can go wrong in millions of lines of source code. Specification versus implementation is a tricky beast by itself.
If they really want to follow through with this talk, they'd better be prepared for the design decisions that go along with it, code reuse most of all. One thing that I think is particularly detrimental to code reuse is a proprietary model where the OS and every software vendor re-invents wheels over and over. You're going to need more open specs to change that.
If this is rooting for regulation of the software industry, beware. The big guys have a lot more to gain from this than the small innovators and startups. Who would really want to take advise from stereotyping wags like that anyway?
They are the company who have the worst user interface tools on the planet.
The GUI's would have sucked in the 1980's.
Every SQL statement was designed by a dfferent person, with a different syntax.
If the guy expects us to assume he is an authority on the subject, he should clean up his own rubbish first.
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
You know, I'm starting to get sick of the software = bridges analogy. The fact is, software is not bridges, it's not even close to being bridges. If you're building a bridge, you're asking people to trust their lives to your creation. If you're writing software, you're doing no such thing (disclaimer: yes, some software does get used in life or death situations, but the vast majority is not, so don't pretend it is). If anything, software is closer to something like, say, landscaping, than building bridges. And in fact if you're in the landscaping business mistakes are perfectly tolerable. "Oh, you say that bush died because I planted it wrong? Gee, I'm sorry, let me come out and plant another one. How does two weeks from today work for you?" Do you demand 100% perfection from someone painting your house or doing your yard? Is it the end of the world if they screw up, or do you just have them fix their mistake? Now tell me, which of these approaches is more fitting to apply to software?
Until us white-hats get so annoyed at Oracle's lack of meaningful response that we lose all semblence of patience with them and decide that the public good would best be served via Full-Disclosure of the security holes that Oracle will not fix in a timely manner, so that everyone can make an informed decision whether or not to use Oracle, and (pending Oracle's eventual response, if any) can make an attempt at third-party mitigation via firewalls, SQL proxies, etc.
This has, of course, already happened.
As opposed to the Americans who are technically skilled but less so every year, totally paranoid and suffer from a persecution complex, and are a nation of drug addicted murders who, at least, have moved on from being out and out slavers.
When will the 'mericans WAKE UP ?????
Stop throwing stones !!!!! You live in the biggest glass house of them all!
As a software developer, I lie awake at night dreaming of only having to solve a problem as simple a bridge. It has only one use case: vehicles of a known weight with a known wheel surface traveling in predetermined paths at a predetermined rate of speed. Also, if you dig down deep enough on the Earth, there is always something solid to anchor the bridge. Then bridge developers have millions of existing examples which can be studied and reused.
In software, half the stuff people will do with it were unknown while it was being designed. It's placed on top of existing code (operating systems, existing architectures, outmoded designs) which deceases the stability of your own applications. Runs on systems with wildly different equipment from any test environment available with drivers written by corporate hacks which decrease your applications' performance. Then users use the application with many other applications which can interfere in numerous ways with the other applications while sucking up the required resources (memory, hard-drive space, etc.) your application needs. Which is not even mentioning the malicious attacks by those who only wish to wreak havoc on the systems. Then if any of the myriad of things running on the computer fail, everyone starts screaming that the developers are the problem.
The problem is that people expect the software to perform absolutely flawlessly while doing things that the developer never intended on a wide variety of equipment that cannot not be tested on or controlled by the developer. It's the world of continuous progress. No one changes the use cases of bridges after they are designed. No one every just tacks a few more lanes onto a bridge or decides to make the bridge into an airport runway after it was built. When was the last time someone re-commissioned a pedestrian bridge for railway traffic or built an additional level on the bridge for a shopping mall without significant studies to determine feasibility?
And yet if bridges were scrutinized the same way as software, people would be in an uproar about all the deaths that are only possible because of the bridges: people jump off of them, cars crash over the guard rails, tornadoes and hurricanes wipe them out, and if they are not maintained properly they eventually fall to the ground under their own weight. Books could be filled with the death stories of people killed by bridges. Everyone sees how silly it is to blame a bridge designer when people are not using or maintaining the bridge in the way intended.
This is not to say that there is not badly designed software out there or that much of it couldn't be done better. However, people need to understand that to have completely bullet-proof software would require studying all possible use cases, locking all features and hardware, then designing a system that will perform only those features and nothing else ad infinitum. Of course, that's exactly what a group of mindless, uncreative government regulators will do. I'd rather have innovation and patches and the largest number of technical resources and methodologies available for the problem.
The core problem is that solutions are being locked up by patents and business methodologies rater that allowing all the code to be shared and reused by everyone allowing everyone to benefit from new applications of previous solutions. I don't really expect Oracle to agree since they make a tremendous amount of money from closed code and patents and would really love to kill all new entry into the market. Of course, they don't really believe in making code that works without patching, either, or they would no longer be patching their own supposedly well-designed and executed flagship product. It's just rhetoric and business as usual.
The market should determine the value of a quality product. The only regulation that should change is the ability of software vendors to avoid accountability with the complex EULA. If all the businesses in the world sued Microsoft for the effort to continually patch their software it might just get them to do something. Of course, the cost of the software would rise too, at least in the short term. Secure and bug free code doesn't need to cost significantly more provided you have the correct process and design for quality up front. It seems obvious that Microsoft uses the Beta program and even their initial production releases to test their products. Every release of their OS is cobbled together with wire, gum and duck tape. How about a real security model? How about true multi-user capabilities - not just "My Documents"... How about preventing Rootkit installations period? How is it ok to allow an OS to be so easily attacked and modified without some administrative control? If MSFT and many others approach this topic like a joke, then we need to have our laugh in the courts.
How about we make Oracle a trade? If they throw out the end-user licenses and become liable for the flaws and damage caused by the flaws in their software, we'll protect them from security flaws published without telling Oracle at least 3 months before publication?
To get it right the first time?
We know that will never happen. I mean, to get it right the first time requires months or even years of beta testing using a very LARGE user base in order to get all the quirks and holes and issues out of the system.
It is arrogant to assume that ANY group of programmers can get it right the first time while developing software, and its not to discredit the quality of programming they are offering. Management is largely at fault for why software products fail to work right out of the box. Management decides when a product is shipped, what features go into the product, and ultimately, at what point does a product have few enough bugs to be shipped.
I think it is laughable that an Executive at some company thinks patching is wrong. Most likely, she has been responsible for some problems and boners at Oracle that have required patches or updates.
Software has become too complicated to ensure you have the perfect build being shipped for sale. You can't take a multi-million line application and expect it to work perfectly in the dynamic environment that is an end-user's computer. You can't anticipate that the end user might install some other software that might enable a security hole in your own, you can't anticipate that hackers might find a way into your meticulously crafted security protocols. You simply cannot anticipate what will happen to your software the moment it leaves you build box. A GOOD company will release stable and secure software, but ensure that ANY unanticipated issues are patched quickly. This is SIMPLY the NATURE of the game.
Adding regulation to software development will destroy the industry, period. If it requires a 3rd party to review the software and test it before it gets a stamp of approval this will unnecessarily add months or even years more to the development cycle. Any government regulatory board will be swamped with numerous pending software releases, and they won't be able to handle the sheer amount of quantity of software being released. Also, a regulatory board, even made of highly trained software engineers, will not be able to fully understand every piece of software they are given to test. Unlike a Civil Engineer whose building techniques were literally set in stone thousands of years ago, software engineering is forever changing and adapting, a single person cannot keep up with all the new concepts implemented in software design. In the end, a software regulatory board will be even less effective then the current mentality of software patching, because in the end, the regulatory board will put their seal of approval on a faulty product giving end users a false sense of security. Patching that product will take months because the patches will have to go through the same regulatory process.
It is arrogant for CSO Mary Ann Davidson to make wide sweeping comments about the state of security and quality in the software industry. Oracle isn't standing a the head of the field with perfect software. Look for Oracle Security Patches in Google and you will find pages and pages of links patching Oracle's products. If you are frustrated with patching mentality, clean up your own house. ANY company offering better quality and more secure software right out of the box will be recognized quickly and will quickly rise to the top in success. But you can't yell from the gutters that things need to improve without looking around you and realising where you are.
I haven't thought of anything clever to put here, but then again most of you haven't either.
Here here.
This quote seems appropriate:
[G]overnment's view of the economy could be summed up in a few short phrases: If it moves, tax it. If it keeps moving, regulate it. And if it stops moving, subsidize it. -Ronald Reagan